Bugtraq mailing list archives
SECURITY HOLE: FormMail
From: paulp () CERF NET (Paul Phillips)
Date: Wed, 2 Aug 1995 21:28:43 -0700
In article <DCpnJ9.4Kq () k12 colostate edu> mattw () alpha pr1 k12 co us (Matthew M. Wright) writes:
My script at: http://alpha.pr1.k12.co.us/~mattw/scripts.html called FormMail does this exact thing. It works pretty much on any form and you just have to specify the email address of yourself in a hidden field in the form. I don't think that this script has a security whole in it as mentioned in a previous posting about a program called AnyForm. It pipes the information to you in a different way. Of course if there was anyone who wanted to check this I don't think it would hurt.
Okay folks, you know the drill. It does have a security hole, it has the *exact* same hole that AnyForm did, except that it is exploited via open instead of system. But a shell by any other name... Here's the offending line: open (MAIL, "|$mailprog $FORM{'recipient'}") || die "Can't open $mailprog!\n"; Maybe I should use all caps this time: DON'T PASS UNCHECKED USER DATA TO SHELLS. I just obtained /etc/motd from a site running FormMail, and it was sent to me courtesy of root... my oh my. Posted and emailed to the author and several mailing lists. Again, please direct followups to comp.infosystems.www.authoring.cgi. -- Paul Phillips | "Click _here_ if you do not <URL:mailto:paulp () cerf net> | have a graphical browser" <URL:http://www.primus.com/staff/paulp/> | -- Canter and Siegel, on <URL:pots://+1-619-220-0850/is/paul/there?> | their short-lived web site
Current thread:
- SECURITY HOLE: FormMail Paul Phillips (Aug 02)
- followup: local mail delivery der Mouse (Aug 03)
- Re: SECURITY HOLE: FormMail Christian Wettergren (Aug 03)
- PERL (was: Re: SECURITY HOLE: FormMail) VaX#n8 (Aug 07)
- Re: PERL (was: Re: SECURITY HOLE: FormMail) Philip Guenther (Aug 07)
- Guidelines for cgi-bin scripts Lee Silverman (Aug 08)
- Re: Guidelines for cgi-bin scripts Dave Andersen (Aug 08)
- Re: Guidelines for cgi-bin scripts Christian Wettergren (Aug 09)
- <Possible follow-ups>
- Re: SECURITY HOLE: FormMail Andrew Macpherson (Aug 03)
- Re: SECURITY HOLE: FormMail Christian Wettergren (Aug 04)
- Re: SECURITY HOLE: FormMail Neil Woods (Aug 05)
- Re: SECURITY HOLE: FormMail Christian Wettergren (Aug 04)